I really don't have a specific answer for you, but I have never heard of anyone having a problem with this. Out of curiosity, I took a look at my Linux Mint /etc/apt/directories and they are http only as well, but there is also a gpg signature file present. Mint having had their main download sites hacked a while ago makes them pretty sensitive to the risk. Being one of the most popular of Linux distros has its downside.
Relative to more popular x86-based distros or Windows updates, RPi is a pretty small target for hackers to bother with. That, plus the problem of updated files coming from a wide range of sources, probably makes getting https certificates complicated and difficult. It may never happen but they probably also limit write access to those files/directories. You don't need to worry about it much but do check the "Announcements" forum here on a regular basis.